Welcome to Donor Care, a blood donor management application built with Flutter and Supabase. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our app.
By using Donor Care, you agree to the practices described in this policy. If you do not agree, please discontinue use of the application.
Information We Collect
We collect information that is necessary to operate the blood donor management service. Depending on your role (Admin or Moderator), we may collect the following:
| Category | Data Points | Required |
|---|---|---|
| Account Identity | Full name, email address | Yes |
| Authentication | Email + password (hashed by Supabase), session tokens | Yes |
| Donor Profiles | Donor name, blood group, phone number, gender, age, district, area (thana) | Partial |
| Donation Records | Donation dates, donation history per donor | Partial |
| Device | FCM push notification token (device identifier for notifications only) | Optional |
| Advertising | Device Advertising ID — collected by Google AdMob for App Open ads. Not linked to your donor data. | Optional |
| Usage | App theme preference (light/dark), app lock settings — stored locally only | No |
We do not collect: GPS location, call logs, contacts, photos, camera data, or payment information.
How We Use Your Information
- To authenticate you and manage your Admin/Moderator account securely
- To store, display, and manage blood donor profiles and donation records
- To calculate donor eligibility status based on last donation date
- To send push notifications for new donor requests and status updates
- To allow Admins to manage Moderators and their access permissions
- To generate PDF or Excel export reports of donor data for authorized users
- To display in-app analytics (monthly donation trends, blood group distribution)
- To sync data between device and server, supporting offline usage
- To provide password reset functionality via secure email deep links
- To display App Open ads (via Google AdMob) on app launch to support the free service
- To show optional Rewarded ads (via Google AdMob) when users choose to "Support the App" — entirely user-initiated
Data Storage & Security
We take security seriously and implement multiple layers of protection:
- Cloud Storage: All donor data is stored on Supabase (PostgreSQL), which provides encrypted storage and Row-Level Security (RLS) policies ensuring only authorized users can access the data.
- In-Transit Encryption: All communication between the app and our servers uses HTTPS/TLS encryption.
- Local Cache Encryption: Offline data cached on your device is encrypted using AES-256 encryption and stored in Hive, a secure local database.
- Authentication Tokens: Session tokens are stored in the device's secure storage (Android Keystore / iOS Keychain) using flutter_secure_storage.
- App Lock: The app supports optional PIN and biometric lock to prevent unauthorized access.
- Moderator Deactivation: When an admin removes or deactivates a moderator, the app performs real-time force logout with no delay.
Despite best efforts, no method of electronic storage is 100% secure. We cannot guarantee absolute security, but we strive to use commercially acceptable means of protection.
Third-Party Services
Donor Care uses the following third-party services to operate. Each service has its own privacy policy:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, real-time updates, password reset email deep links | Donor profiles, donation records, user accounts |
| Firebase (Google) | Push notifications (FCM) | FCM device token only |
| Google AdMob | App Open ads on app launch + optional Rewarded ads (user-initiated, Support screen) | Device Advertising ID, app interaction signals — not linked to donor data. Google Privacy Policy |
| Google Fonts | Typography | No personal data |
We do not use Google Analytics, Facebook SDK, or sell your data to any advertising network. AdMob is used solely for App Open ads and operates independently of your donor management data.
Data Sharing & Disclosure
We do not sell, trade, or rent your personal information to third parties. We may disclose information only in the following limited circumstances:
- Within the Organization: Donor data is shared between the Admin and their authorized Moderators within the same organization account, based on role-based permission.
- Legal Requirements: We may disclose data if required by law, court order, or governmental authority.
- Service Providers: We share necessary data only with Supabase and Firebase as described in Section 4, solely to provide the service.
- Exported Reports: When you export donor data as PDF or Excel using the app's Export feature, the resulting file is handled by your device's share sheet — we do not control what you do with exported files.
Your Rights
As a user, you have the following rights regarding your personal data:
- Right to Access: You can view all data associated with your account within the app.
- Right to Correction: You can edit your profile information (name) via Edit Profile settings.
- Right to Deletion:
  - Moderator accounts — can be permanently deleted by the Admin directly within the app (Manage Moderators → Remove). This also deletes the associated authentication account immediately.
  - Admin accounts — can be deleted by contacting us at rivontrn@gmail.com. We will process deletion requests within 30 days, including all associated donor data and moderator records.
- Right to Data Portability: Admin users can export all donor data as PDF or Excel at any time.
- Right to Withdraw Consent: You may disable push notifications at any time through the app's Notification Settings or your device's system settings.
- Right to Opt Out of App Lock: Biometric and PIN lock are optional and can be disabled in Security Settings.
Data Retention
- Account Data: Retained for as long as your account is active. Deleted within 30 days of account deletion request.
- Donor Profiles & Records: Retained as long as the Admin account managing them is active. Admins can delete individual donor records at any time.
- Push Tokens: FCM device tokens are updated on each login and removed when the user logs out.
- Local Cache: Stored on device for offline use. Automatically cleared when you log out or use the "Clear Cache" option in Sync & Storage settings.
- Local Preferences: Theme and app lock preferences are stored locally and deleted when the app is uninstalled.
Children's Privacy
Donor Care is designed for use by healthcare volunteers, blood bank administrators, and moderators in an organizational context. The app is not directed at children under the age of 13, and we do not knowingly collect personal data from children under 13.
If you believe a child under 13 has provided us with personal information without parental consent, please contact us immediately at support@donorcare.app and we will take steps to remove such information.
Push Notifications & Deep Links
Donor Care uses Firebase Cloud Messaging (FCM) to send push notifications for:
- New donor registration requests awaiting approval
- Donor status changes and other platform activity
On Android 13 and above, the app will request your explicit permission to send notifications. You can:
- Grant or deny notification permission when first prompted
- Change notification preferences any time via Settings → Notification Settings inside the app
- Disable all notifications via your device's System Settings → Apps → Donor Care → Notifications
Disabling notifications does not affect the core functionality of the app.
Deep Links: The app uses Supabase-generated secure deep links for the Password Reset flow. When you request a password reset, Supabase emails you a secure link containing a one-time token. Clicking that link on your mobile device opens the Donor Care app directly (via Android App Links / iOS Universal Links). No personal data beyond your email address is transmitted through this process, and tokens expire after a short time.
Offline Data Handling
Donor Care supports offline functionality using an encrypted local cache (Hive). When you are offline:
- Your previously synced donor data is available in read mode
- Actions you take offline (adding donors, donations) are queued locally as "Pending Actions"
- Once your device reconnects to the internet, pending actions are automatically synced to the server
- If you log out with unsaved pending actions, you will be warned that offline data will be lost
All locally cached data is encrypted with AES-256 and is stored only on your device. It is never transmitted to any third party except Supabase during sync.
Advertising — App Open Ads
Donor Care uses Google AdMob to display two types of ads to help cover service costs:
- App Open Ads: Shown briefly when you launch the app. Automatic — no user action required.
- Rewarded Ads: Shown only when you choose to tap "Support the App" on the Support screen. Entirely user-initiated — you can skip at any time. Watching a Rewarded ad removes App Open ads for future sessions.
- What AdMob collects: Google AdMob may collect your device's Advertising ID and app interaction signals to serve ads. This is handled entirely by Google and governed by Google's Privacy Policy.
- No donor data shared: Your donor management data (donor profiles, donation records, etc.) is never shared with or used by AdMob.
- Ad Personalization: Google may serve personalized or non-personalized ads based on your device settings and region. Opt out via Settings → Privacy → Ads on your device.
We do not receive or store any data that AdMob collects. Google acts as an independent data controller for advertising-related data.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the app's features or applicable laws. When we do:
- The "Last Updated" date at the top of this page will be revised
- Significant changes will be communicated via an in-app notification
- Continued use of the app after the revised policy is posted constitutes your acceptance of the changes
We encourage you to review this policy periodically.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
We aim to respond to all inquiries within 5 business days. For account or data deletion requests, please allow up to 30 days for processing.